Re: Help developing an exploit



Hi,

On Sat, 28 Apr 2007 21:46:08 -0400
"Webster Orkin" <webster.orkin@xxxxxxxxx> wrote:
> The problem I've been
> having is that my payload ends up at address 0x0012E6B4 and if I try
> to get that address into EIP, my entire message is rejected for
> containing an x00 character. Here's what I've found about what I can
> send:
>
> (23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
> EDX->EIP)(up to 4500 bytes)

From the address, it looks like your buffer is on the stack. Please ignore the
rest of this posting if that's not the case.

The obvious solution would be to look for a byte sequence 0xFFE4 (jmp esp) or
similar in memory mapped at addresses without 0x00 or other forbidden
characters in them. Since you say XML, I assume 0x3c, 0x2f and 0x3e wouldn't
be appreciated either. Once you find such an address, let EDX->EIP point
there, so execution will return to the stack.

You may try OllyDbg and http://www.phenoelit.de/win/OllyUni_0.10.zip for
finding specific byte sequences that may help you get your code executed.

HIHAL,
FX

--
SABRE Labs GmbH | Felix 'FX' Lindner <fx@xxxxxxxxxxxxxx>
http://www.sabre-labs.com | GSM: +49 171 7402062
Wrangelstrasse 4 | PGP: A740 DE51 9891 19DF 0D05
10997 Berlin, Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
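An added example (not FX's code and not OllyUni's) that works through the screening step described above: it shows why 0x0012E6B4 is unusable and scans a constructed byte region for the 0xFFE4 sequence at addresses whose encoding contains none of the forbidden bytes. The bad-character set (NUL plus the XML delimiters), the base address and the sample region are assumptions built for the example.

```python
# Added example: screening a 32-bit return address against forbidden bytes
# and locating FF E4 (jmp esp) at addresses that pass the screen.
import struct

# Assumed from the thread: NUL plus the XML delimiters '<', '/', '>'.
BAD_CHARS = {0x00, 0x3C, 0x2F, 0x3E}
JMP_ESP = b"\xff\xe4"  # x86 encoding of `jmp esp`


def addr_bytes(addr: int) -> bytes:
    """Little-endian encoding, i.e. the bytes that would travel in the message."""
    return struct.pack("<I", addr)


def has_bad_chars(addr: int, bad=BAD_CHARS) -> bool:
    """True if any byte of the encoded address is in the forbidden set."""
    return any(b in bad for b in addr_bytes(addr))


def find_trampolines(image: bytes, base: int, bad=BAD_CHARS):
    """Addresses of every FF E4 in `image` (mapped at `base`) that pass the screen.

    Note for defenders: with ASLR the base of a mapped module changes per run,
    so a fixed address found this way is no longer stable.
    """
    hits, start = [], 0
    while (i := image.find(JMP_ESP, start)) >= 0:
        if not has_bad_chars(base + i, bad):
            hits.append(base + i)
        start = i + 1
    return hits


# Constructed sample region: 0x100 bytes of NOP mapped at an assumed base,
# with three FF E4 occurrences. Only the one at offset 0x45 encodes cleanly.
SAMPLE_BASE = 0x77E41000
SAMPLE_IMAGE = bytearray(b"\x90" * 0x100)
SAMPLE_IMAGE[0x00:0x02] = JMP_ESP  # 0x77E41000 -> 00 10 E4 77, contains 0x00
SAMPLE_IMAGE[0x3C:0x3E] = JMP_ESP  # 0x77E4103C -> 3C 10 E4 77, contains 0x3C
SAMPLE_IMAGE[0x45:0x47] = JMP_ESP  # 0x77E41045 -> 45 10 E4 77, clean

if __name__ == "__main__":
    # The stack address from the thread fails because its top byte is 0x00.
    print(addr_bytes(0x0012E6B4).hex(), has_bad_chars(0x0012E6B4))
    print([hex(a) for a in find_trampolines(bytes(SAMPLE_IMAGE), SAMPLE_BASE)])
```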
